Email whenever security bug is filed



Reported: 14 years ago
Modified: 7 years ago


(Reporter: gerv, Assigned: gerv)





(2 attachments, 2 obsolete attachments)



Description, 14 years ago
We need custom code for b.m.o. to CC (on the initial
email only) when a bug is filed in the security group. While we are there, we
may as well do the same for and the Webtools security group.

Ideally, the security group would also get the email which is sent out whenever
that bit is removed from a bug, so they can see anyone making security bugs public.


Comment 1

14 years ago
Shaver: any further comments?

Severity: normal → major
Priority: -- → P2
Comment 2

Sounds good.  I'd also like a FIXED notification for any bug that had the bit
set in its lifetime, to aid in updating of the known-vuln list, but that's less
critical, I think.

Comment 3

14 years ago
That's also a bit harder to do. You'll just have to file the "bit-set"
notifications ;-)

Comment 4

That's a point, actually. We want a "bit-set" notification, not a "new bug with
the bit" notification, so the group gets an email when a bug is closed
post-filing. So what we actually want is a "bit-toggled" notification.

From an email thread I was involved in before I saw this bug:

It's pretty trivial to push an email onto the CC list for a bug for just that
first email from post_bug.cgi.  (push it onto the CC list after the bug is
written to the database but before it sends the email)

Unfortunately, the mail processing code will refuse to send mail to users that
don't exist (it'll just silently discard them).  And hacking an exception to
that is not exactly straightforward and stands a good chance of breaking things.
Of course, if you want to go that route, that's trivial to get around by
creating a user with that email address.  On the other hand, it exposes that
email address to the general user population, because it'll show up in the "mail
sent to" thing after the bug is filed.

Another option:

Anyone remember whinemail?

We used to have mail sent to any bug in the NEW state that hadn't been touched
in the last 7 days.  Bugzilla still has the functionality, but it's long been
disabled on

It would probably be fairly trivial to clone that and change the query to look
up security bugs filed in the last 24 hours or something.

There's nothing that says it can't run hourly, either, if you want to know about
it that quickly.

Could also mail a report on open security bugs that haven't been touched some
set period of time, too.  The point is setting up whinemail again and
specializing it for this task is probably going to be much easier than hacking
process_bug and post_bug to mail under specific circumstances.

On the other hand, if we don't mind exposing those addresses (the existence of
this bug in public seems to indicate we don't), then creating an account for
them and manually pushing them on the recipient list when that bit is added or
removed is probably the easiest thing to do.
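The whinemail option sketched above (clone the cron job, swap in a query for security-group bugs filed in the last 24 hours, optionally add a stale-bug report), as an added example that is not Bugzilla's whine code and not part of this bug. It runs against an in-memory SQLite database through DBD::SQLite (assumed installed) seeded with constructed rows; the three tables are modelled on Bugzilla's bugs / groups / bug_group_map but trimmed to the columns the queries need, and the group names are placeholders, so treat the schema as an assumption:

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's whine code): a whinemail-style report of
# security-group bugs filed in the last N hours, plus open ones untouched
# for M days.  Schema and rows below are constructed for the example.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Trimmed look-alikes of Bugzilla's tables (assumption, not the real schema).
$dbh->do('CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT,'
       . ' bug_status TEXT, creation_ts TEXT, delta_ts TEXT)');
$dbh->do('CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('CREATE TABLE bug_group_map (bug_id INTEGER, group_id INTEGER)');

# Constructed sample data; group names are placeholders.
$dbh->do(q{INSERT INTO groups VALUES (2, 'security'),
                                     (12, 'webtools-security'),
                                     (3, 'confidential')});
$dbh->do(q{INSERT INTO bugs VALUES
  (1, 'constructed bug A', 'NEW',      datetime('now','-2 hours'),  datetime('now','-2 hours')),
  (2, 'constructed bug B', 'NEW',      datetime('now','-3 days'),   datetime('now','-1 hours')),
  (3, 'constructed bug C', 'ASSIGNED', datetime('now','-30 days'),  datetime('now','-10 days')),
  (4, 'constructed bug D', 'RESOLVED', datetime('now','-40 days'),  datetime('now','-20 days')),
  (5, 'constructed bug E', 'NEW',      datetime('now','-1 hours'),  datetime('now','-1 hours'))});
$dbh->do(q{INSERT INTO bug_group_map VALUES (1,2), (2,12), (3,2), (4,2), (5,3)});

# Which groups count as "security" for this report.
my $IN_GROUPS = q{g.name IN ('security', 'webtools-security')};

# Bugs in a security group that were filed within the last $hours hours.
sub recent_security_bugs {
    my ($dbh, $hours) = @_;
    return $dbh->selectall_arrayref(qq{
        SELECT DISTINCT b.bug_id, b.short_desc, g.name
          FROM bugs b
          JOIN bug_group_map m ON m.bug_id = b.bug_id
          JOIN groups g        ON g.id = m.group_id
         WHERE $IN_GROUPS
           AND b.creation_ts >= datetime('now', ?)
         ORDER BY b.bug_id}, {}, "-$hours hours");
}

# Open security bugs that nobody has touched for $days days.
sub stale_security_bugs {
    my ($dbh, $days) = @_;
    return $dbh->selectall_arrayref(qq{
        SELECT DISTINCT b.bug_id, b.short_desc, g.name, b.delta_ts
          FROM bugs b
          JOIN bug_group_map m ON m.bug_id = b.bug_id
          JOIN groups g        ON g.id = m.group_id
         WHERE $IN_GROUPS
           AND b.bug_status IN ('NEW', 'ASSIGNED', 'REOPENED')
           AND b.delta_ts < datetime('now', ?)
         ORDER BY b.delta_ts}, {}, "-$days days");
}

# Build the report body; the cron job would hand this to sendmail.
sub whine_report {
    my ($dbh, $hours, $days) = @_;
    my @lines;
    for my $row (@{ recent_security_bugs($dbh, $hours) }) {
        push @lines, sprintf('NEW   bug %d [%s] %s', @$row[0, 2, 1]);
    }
    for my $row (@{ stale_security_bugs($dbh, $days) }) {
        push @lines, sprintf('STALE bug %d [%s] %s (untouched since %s)',
                             @$row[0, 2, 1, 3]);
    }
    return @lines;
}

# With the constructed rows this lists bug 1 as NEW (bug 5 is only in the
# non-security group) and bug 3 as STALE (bug 4 is RESOLVED, bug 2 is fresh).
print "$_\n" for whine_report($dbh, 24, 7);
```

Run from cron as often as the notification latency requires (the comment above notes hourly is fine); the queries never alter the database, so it is safe to point at a read-only replica.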

Comment 5

14 years ago
I'd go for the last option (creating an account and pushing the address when the
bit is toggled.) Both and are
public addresses.


Comment 6

14 years ago
Created attachment 153137 [details] [diff] [review]
Patch v.1

This should do it. I've tested it on my local installation by creating a couple
of groups of the same name, and checking the output of's logging.

The patch is against the tip, but that should probably be OK. It's also not too
intrusive, which is good.


Comment 7

14 years ago
Dave: any chance of a review? (This product doesn't have the appropriate flags.)

Comment 8

Created attachment 153138 [details] [diff] [review]
Patch v2

Looks good to me except for the enableSendmail = 0 at the top. :)

Also, this doesn't do anything with bugs that are initially filed as security
bugs.  Fortunately I already had that part written.

This combines my patch with yours.
Attachment #153137 - Attachment is obsolete: true

Comment 9

14 years ago
Looks good to me, although you should probably add a comment so it's totally
obvious that this is a local customisation when people come to do merging.

Ship it? :-)


Comment 10

14 years ago
Dave: ping? If this patch is good, can we apply it? The security-group rather
want this feature.

Comment 11

Doh, I thought it had been applied, but I guess it hadn't.

It has been now.
Last Resolved: 14 years ago
Resolution: --- → FIXED
Comment 12

Comment on attachment 153138 [details] [diff] [review]
Patch v2

>+push (@cc, "") if (grep {$_ == 2} @groupstoadd);
>+push (@cc, "") if (grep {$_ == 12} @groupstoadd);
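Review bot: both push calls put the address in a double-quoted string, and Perl interpolates a `@word` sequence inside double quotes as an array, so under `use strict` post_bug.cgi fails to compile (without strict the array is empty and the address is silently mangled); write the literal in single quotes, e.g. `push (@cc, 'address') if (...)`, or escape the `@`. The tests `grep {$_ == 2}` and `grep {$_ == 12}` also hard-code b.m.o. group ids, so a comment naming those groups (or a lookup by group name) would help whoever merges this later.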

[Wed Sep  1 21:39:37 2004] post_bug.cgi: Possible unintended interpolation of
@mozilla in string at /opt/webtools/bugzilla/post_bug.cgi line 468.
[Wed Sep  1 21:39:37 2004] post_bug.cgi: Possible unintended interpolation of
@bugzilla in string at /opt/webtools/bugzilla/post_bug.cgi line 469.
[Wed Sep  1 21:39:37 2004] [error] [client] malformed header from
script. Bad header=<pre>Global symbol &quot;@mozi:
[Wed Sep  1 21:39:37 2004] post_bug.cgi: Global symbol "@mozilla" requires
explicit package name at /opt/webtools/bugzilla/post_bug.cgi line 468.
[Wed Sep  1 21:39:37 2004] post_bug.cgi: Global symbol "@bugzilla" requires
explicit package name at /opt/webtools/bugzilla/post_bug.cgi line 469.
[Wed Sep  1 21:39:37 2004] post_bug.cgi: Execution of
/opt/webtools/bugzilla/post_bug.cgi aborted due to compilation errors.

I think you need either single quotes or a backslash before the @-sign.
Comment 13

>I think you need either single quotes or a backslash before the @-sign.

Indeed.  Fixed.
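How the CC push in the patch can be written so that the quoting problem in the log above cannot recur and the same code serves both post_bug.cgi (bug filed with the bit) and process_bug.cgi (bit toggled on or off), as an added example that is not the committed b.m.o. patch. The addresses, the id-to-name map and the group names are constructed placeholders, and notify_addresses / add_to_cc are helper names invented here:

```perl
#!/usr/bin/perl
# Added example, not the b.m.o. patch: map the groups being added to or
# removed from a bug to the notification addresses, then merge them into
# the bug's CC list for this one mail.  All names below are placeholders.
use strict;
use warnings;

# Single quotes: in a double-quoted string Perl would parse the '@' as an
# array interpolation ("...@mozilla..."), which 'use strict' rejects at
# compile time and which, without strict, quietly drops the domain.
my %NOTIFY = (
    'security'          => 'security-list@example.invalid',
    'webtools-security' => 'webtools-security-list@example.invalid',
);

# Stand-in for a 'SELECT id, name FROM groups' lookup; ids are constructed.
my %GROUP_NAME = (2 => 'security', 12 => 'webtools-security', 3 => 'confidential');

# Return the addresses to notify for a list of group ids (no duplicates).
sub notify_addresses {
    my ($group_ids, $id_to_name) = @_;
    my (%seen, @out);
    for my $id (@$group_ids) {
        my $name = $id_to_name->{$id} or next;   # unknown id: nothing to do
        my $addr = $NOTIFY{$name}     or next;   # not a group we notify
        push @out, $addr unless $seen{$addr}++;
    }
    return @out;
}

# Append addresses to the CC list, skipping ones already present so the
# mail code does not send the same message twice.
sub add_to_cc {
    my ($cc, @extra) = @_;
    my %have = map { lc($_) => 1 } @$cc;
    for my $addr (@extra) {
        push @$cc, $addr unless $have{lc $addr}++;
    }
    return $cc;
}

my @cc             = ('reporter@example.invalid');
my @groupstoadd    = (2, 12, 3);   # bits set at filing, or toggled on
my @groupstoremove = (12);         # bit toggled off: same recipients

add_to_cc(\@cc, notify_addresses(\@groupstoadd,    \%GROUP_NAME));
add_to_cc(\@cc, notify_addresses(\@groupstoremove, \%GROUP_NAME));
print "CC: $_\n" for @cc;
```

As comment 4 notes, the mail code of that era silently drops recipients with no Bugzilla account, so each address in %NOTIFY still needs an account on the installation for the push to have any effect.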
Comment 14

Created attachment 158269 [details] [diff] [review]
Patch v3 (2.19.1)

Revised patch, takes into account the bugs in the previous one, as well as
changing the address from security-group to security.
Attachment #153138 - Attachment is obsolete: true
Attachment #158269 - Attachment description: Patch v3 → Patch v3 (2.19.1)
Component: Bugzilla: Other b.m.o Issues → General
Product: →